Date:      Fri, 24 Nov 2017 04:42:22 +0000 (UTC)
From:      "Andrey V. Elsukov" <ae@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject:   svn commit: r326142 - in stable/11/sys: modules/ipfw netpfil/ipfw
Message-ID:  <201711240442.vAO4gM9D002192@repo.freebsd.org>

Author: ae
Date: Fri Nov 24 04:42:21 2017
New Revision: 326142
URL: https://svnweb.freebsd.org/changeset/base/326142

Log:
  MFC r325960:
    Unconditionally enable support for O_IPSEC opcode.
  
    IPsec support can be loaded as a kernel module, thus do not depend on the
    kernel option IPSEC and always build the O_IPSEC opcode implementation as
    enabled.
  
  MFC r325962:
    Do not invoke the IPv4 NAT handler for non-IPv4 packets. Libalias expects
    a packet to be IPv4. And in case it is IPv6, it just translates it
    as IPv4. This leads to corruption and in some cases to panics.
    In particular a panic can happen when the value of ip6_plen is modified to
    something that leads to IP fragmentation, but the actual packet length does
    not match the IP length.
  
    Packets that are not IPv4 will be dropped by NAT rule.

Modified:
  stable/11/sys/modules/ipfw/Makefile
  stable/11/sys/netpfil/ipfw/ip_fw2.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sys/modules/ipfw/Makefile
==============================================================================
--- stable/11/sys/modules/ipfw/Makefile	Fri Nov 24 02:39:38 2017	(r326141)
+++ stable/11/sys/modules/ipfw/Makefile	Fri Nov 24 04:42:21 2017	(r326142)
@@ -7,7 +7,7 @@ SRCS=	ip_fw2.c ip_fw_pfil.c ip_fw_bpf.c
 SRCS+=	ip_fw_dynamic.c ip_fw_log.c ip_fw_eaction.c
 SRCS+=	ip_fw_sockopt.c ip_fw_table.c ip_fw_table_algo.c ip_fw_iface.c
 SRCS+=	ip_fw_table_value.c
-SRCS+=	opt_inet.h opt_inet6.h opt_ipdivert.h opt_ipfw.h opt_ipsec.h
+SRCS+=	opt_inet.h opt_inet6.h opt_ipdivert.h opt_ipfw.h
 
 CFLAGS+= -DIPFIREWALL
 #
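Review bot: Dropping opt_ipsec.h from SRCS is the right companion to removing the `#include "opt_ipsec.h"` in ip_fw2.c; a generated option header listed here but included nowhere would just be dead build input. Confirm that no other source file built by this Makefile still includes opt_ipsec.h, because the module build would then fail to find the header once it is no longer generated for this module.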

Modified: stable/11/sys/netpfil/ipfw/ip_fw2.c
==============================================================================
--- stable/11/sys/netpfil/ipfw/ip_fw2.c	Fri Nov 24 02:39:38 2017	(r326141)
+++ stable/11/sys/netpfil/ipfw/ip_fw2.c	Fri Nov 24 04:42:21 2017	(r326142)
@@ -37,7 +37,6 @@ __FBSDID("$FreeBSD$");
 #error "IPFIREWALL requires INET"
 #endif /* INET */
 #include "opt_inet6.h"
-#include "opt_ipsec.h"
 
 #include <sys/param.h>
 #include <sys/systm.h>
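Review bot: Removing this include is only safe if no `#ifdef IPSEC` region remains in ip_fw2.c; the one at the O_IPSEC case is dropped later in this patch, so confirm there are no others. Without opt_ipsec.h the IPSEC macro is silently undefined, and any surviving region would be compiled out even on kernels built with the option, with no compiler diagnostic to flag it.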
@@ -1945,10 +1944,8 @@ do {								\
 				break;
 
 			case O_IPSEC:
-#ifdef IPSEC
 				match = (m_tag_find(m,
 				    PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL);
-#endif
 				/* otherwise no match */
 				break;
 
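Review bot: The `/* otherwise no match */` comment is now stale: it described the path taken when IPSEC was not compiled in and `match` kept its default, but after this change `match` is always assigned from `m_tag_find()`, so the comment should be dropped or reworded to something like `/* no IPsec tag: no match */`. It is also worth stating in the log that PACKET_TAG_IPSEC_IN_DONE is defined independently of the IPSEC kernel option, since that is what makes the now unconditional lookup compile on every kernel.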
@@ -2563,7 +2560,11 @@ do {								\
 			case O_NAT:
 				l = 0;          /* exit inner loop */
 				done = 1;       /* exit outer loop */
- 				if (!IPFW_NAT_LOADED) {
+				/*
+				 * Ensure that we do not invoke NAT handler for
+				 * non IPv4 packets. Libalias expects only IPv4.
+				 */
+				if (!is_ipv4 || !IPFW_NAT_LOADED) {
 				    retval = IP_FW_DENY;
 				    break;
 				}
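Review bot: The new `!is_ipv4` test denies non-IPv4 packets that reach a nat rule without any counter or log entry, so an IPv6 packet that previously was (wrongly) passed to libalias now disappears silently; that is the correct fix for the corruption and panic described in the log, but it is a user-visible behaviour change and should be documented in ipfw(8) so operators understand why IPv6 traffic matching a nat rule is dropped. Checking `is_ipv4` before `IPFW_NAT_LOADED` is fine since both are cheap. Minor: the removed line had a stray leading space before its tabs, which this hunk also cleans up.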
